Secure entanglement distillation for double-server blind quantum computation 



O 

(N 

in 



Oh. 



> 
00 

m 

O 

cn 



X 
S3 



Tomoyuki Morimae^'B and Kcisukc Fujii^'[l| 

'Department of Physics, Imperial College London, London SW7 2AZ, United Kingdom 
''Graduate School of Engineering Science, Osaka University, Toyonaka, Osaka 560-8531, Japan 

(Dated: February 18, 2013) 

Blind quantum computation is a new secure quantum computing protocol where a client, who 
does not have enough quantum technologies at her disposal, can delegate her quantum computation 
to a server, who has a fully-fledged quantum computer, in such a way that the server cannot learn 
anything about client's input, output, and program. If the client interacts with only a single server, 
the client has to have some minimum quantum power, such as the ability of emitting randomly- 
rotated single-qubit states or the ability of measuring states. If the client interacts with two servers 
who share Bell pairs but cannot communicate with each other, the client can be completely classical. 
For such a double-server scheme, two servers have to share clean Bell pairs, and therefore the 
entanglement distillation is necessary in a realistic noisy environment. In this paper, we show that 
it is possible to perform entanglement distillation in the double-server scheme without degrading 
the security of the blind quantum computing. 



A first generation quantum computer will be imple- 
mented in a "cloud" style, since only limited number of 
groups, such as huge industries and governments, will 
be able to possess it. When a client uses such a quan- 
tum server via a remote access, it is crucial to pro- 
tect client's privacy. Blind quantum computation [l]- 
ll| is a new secure quantum computing protocol which 
can guarantee the security of client's privacy in such a 
cloud quantum computing. Protocols of blind quantum 
computation enable a client (Alice), who does not have 
enough quantum technologies at her disposal, to delegate 
her quantum computation to a server (Bob), who has a 
fully-fledged quantum computer, in such a way that Al- 
ice's input, output, and program are hidden to Bob [ll- 
[ll| . The original protocol of blind quantum computation 
was proposed by Broadbent, Fitzsimons, and Kashefi 
(BFK) [l|]. Their protocol uses the measurement-based 
quantum computation on the cluster state (graph state) 
by Raussendorf and Briegel [l2|. The BFK protocol has 
been recently generalized to other blind quantum com- 
puting protocols which use the measurement-based quan- 
tum computation on the Aflleck-Kennedy-Lieb-Tasaki 
(AKLT) state 0, [isl . [13], the topologically- protected 



measurement-based quantum computation (y, |15|, the 
continuous-variable measurement-based quantum com- 
putation 0, [IB] , and the ancilla-driven model [l3, 12 ] . 
In these protocols, Alice has to emit randomly-rotated 
few particle states. Since a creation of a single parti- 
cle state (such as a single-photon state) is generally not 
easy, several ideas of avoiding it has been proposed. For 
example, a new idea which allows Alice to prepare coher- 
ent states instead of single-photon states has been pro- 
posed [3] . New protocols of blind quantum computation 
for Alice who does only measurements have also been 
proposed [§|. Since preparation of coherent states and 
measurements of polarizations with threshold detectors 
are considered to be much easier than the single-photon 
generation, these new ideas ease Alice's burden. Some 



methods (so called "verification methods") of checking 
whether Bob is doing a correct computation have also 
been proposed [2, [^ . Finally, a proof-of-principle exper- 
iment of the BFK protocol has been achieved recently 
with a quantum optical system [^. 

Let us briefly review the BFK blind protocol [H. For 
details see Ref. [l[. Assume that Alice wants to perform 
the measurement-based quantum computation on the m- 
qubit graph state corresponding to the graph G. The 
quantum algorithm which Alice wants to run is specified 
with the measurement basis {|0) ± e*"^^ |1)} for jth qubit 
[j = l,2,...,m), where (t>j G {^|fc = 0,1,..., 7}. (Note 
that such X — Y plain measurements are universal [l^.) 
The BFK protocol runs as follows (see also Fig.[T]): 

51. Ahcc tells Bob the graph G [13]. 

52. Alice sends Bob (8)^1 1 |6'j), where 16*^) = |0)+e*^j |l) 
and 9j is randomly chosen by Alice from {^\k — 
0,1,..., 7}. 

53. Bob makes \G{e^}) = ( CZ,.,) \0j), 
where E is the set of edges of G and CZij is the 
CZ gate between ith and jth qubits. 

54. Alice and Bob now perform the measurement-based 
quantum computation on \G{6j}) with two-way 
classical communications as follows 
wants Bob to measure jth qubit (j 
of \G{9j}), she sends Bob Sj = 6j+(j) 
rj G {0, 1} is a random binary chosen by Alice and 
4>'j is the modified version of according to the 
previous measurement results, which is the stan- 
dard feed- forwarding of the one-way model fl^ . 
Bob measures jth qubit in the basis {|0) ± e"^^ ]1)} 
and tells the measurement result to Alice. 

We call this protocol the single-server protocol, since 
there is only a single server (Bob). Because Alice's com- 
putational angle (f>j is "one-time padded" with a random 
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FIG. 1: The single-server blind protocol, (a) Alice sends 
many single-qubit states to Bob. QD is a device which emits 
randomly rotated single qubits. (b) Bob creates a resource 
state. Alice and Bob perform the measurement-based quan- 
tum computation through the two-way classical channel. CC 
is a classical computer. 



angle 6j , Bob cannot learn from Sj (for rigorousproofs 
of the security of the BFK protocol, see Ref. [H, H [Hi). 
Furthermore, if Bob is honest, Alice and Bob can per- 
form the correct measurement-based quantum compu- 
tation, since IGRj) = ( <S)u.neE CZ^j) (S)]U\dj) = 

-H)®™, where |+) = 



(i.j)eE ^Zi,j 

— |1)(1|, and therefore Oj in 5j is 



G{e,}) 

{g)™^e-^''./2)((g) 

|0) + |1) and Z = |0)(( 
nicely canceled. In other words, what Bob does is effec- 
tively the measurement-based quantum computation on 
the graph state corresponding to the graph G with the 
measurement angles {</>j}™;]^. 

In the above single-server protocol, Alice has to have 
the ability of emitting randomly-rotated single-qubit 
states, It was shown in Ref. that if we 

have two servers (Bobl and Bob2) who share Bell pairs 
but cannot communicate with each other, Alice can be 
completely classical. (Alice has only to have a classical 
computer and two classical channels, one is between Alice 
and Bobl and the other is between Alice and Bob2.) We 
call such a scheme the double-server scheme, since there 
are two servers. A protocol of the double-server scheme 
runs as follows [3 (see also Fig. (2]): 

Dl. A trusted center distributes Bell pairs to Bobl and 
Bob2 [ll]. Now Bobl and Bob2 share m Bell pairs, 
(|00) + 111))®™. 

D2. Alice sends Bobl classical messages {Oj}^Li^ where 
9j is randomly chosen by Alice from {^|fc = 
0,1,...,?}. 

D3. Bobl measures his qubit of the jth Bell pair in the 
basis {|0)±e-'^^|l)} (j = l,...,m). Bobl tells Alice 
the measurement results G {0, 1}™- 

D4. After these Bobl's measurements, what Bob2 has 
is 0^1 1 Z]' \ej)^ ^"l^ \9j + bjTr). Now Alice and 
Bob2 can start the single-server BFK protocol with 
the modification {OjjJL^ -> {O-j + b-jirjJLj^. 
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FIG. 2: The double-server blind protocol, (a) Bobl and 
Bob2 share Bell pairs. Alice sends classical messages to Bobl. 
Bobl performs measurements on his qubits of the Bell pairs, 
and tells the measurement results to Alice, (b) Alice and 
Bob2 run the single-server blind protocol through the two- 
way classical channel. CC is a classical computer. 



In addition to the advantage of the completely classical 
Alice, the double-server scheme is intensively studied in 
computer science in the context of the multi-prover in- 
teracting proof system and device-independent quantum 
key distribution [H, [2l| . 

Note that the impossibility of the communication be- 
tween two Bobs is crucial in the double-server protocol. 
If Bobl can send some message to Bob2, Bobl can tell 
Bob2 {dj + bjTr}™^j^, and then Bob2 can learn something 
about {(pjYjLi, since Bob2 knows {9j+bjTr+<j>'j+rjTT}JLi. 
On the other hand, if Bob2 can tell Bobl {9j+bj'K-\-(t>'j + 
rjirYj'^i, Bobl can learn something about {(fijYjLi, since 
Bobl knows {6j + bjiryjLi. In these cases, the security 
of Alice's privacy is no longer guaranteed. 

In order to perform the correct double-server proto- 
col, two Bobs must share clean Bell pairs. Sharing clean 
Bell pairs is also crucial in many other quantum infor- 
mation protocols such as the quantum teleportation [22] , 
the quantum key distribution |23l. l24l | and the distributed 
quantum computation |25l429l |. One standard way of 
sharing clean Bell pairs in a noisy environment is the 
entanglement distillation (sol- 33 1. In entanglement dis- 



tillation protocols, two people, say Bobl and Bob2, who 
want to share clean Bell pairs start with some dirty n 
Bell pairs. Then they perform local operations with some 
classical communications, and finally "distill" m {m < n) 
clean Bell pairs [sol - fssj . 

If we consider the application of the entanglement dis- 
tillation to the double-server blind protocol, one huge 
problem is that two Bobs are not allowed to communicate 
with each other in the double-server scheme. Hence, mes- 
sage exchanges between two Bobs, which are necessary 
for the entanglement distillation, must be done through 
the Alice's mediation, i.e., Bobl (Bob2) sends a message 
to Alice, and Alice transfers it to Bob2 (Bobl). It is not 
self-evident that the security of the double-server blind 
protocol is guaranteed even if we plug an entanglement 
distillation protocol into the double-server blind protocol. 
For example, Bobl might send a message to Alice pre- 
tending that it is a "legal" message for the entanglement 
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distillation. Alice might naively forward that message 
to Bob2 without noticing Bobl's evil intention and be- 
lieving that it is a harmless message. In this case, Bobl 
can indirectly send some message to Bob2, and hence the 
security of the double-server protocol is no longer guar- 
anteed. 

If the entire entanglement distillation is completed be- 
fore starting the double-server protocol, and if Alice del- 
egates her computation to Bobs only once, then the com- 
munication between two Bobs during the entanglement 
distillation is harmless, since when they are doing the en- 
tanglement distillation, messages related to Alice's com- 
putation are not yet sent to Bobs. However, if Alice del- 
egates more than twice, then two Bobs might exchange 
information about the previous double-server computa- 
tion during the entanglement distillation for the next 
round of the computation as in the case of the "device- 
independence" argument of the quantum key distribution 
with devices having memory [34|. Furthermore, the en- 
tanglement distillation might be done in parallel with the 
double-server protocol in order to avoid a decoherence. In 
these cases, we must be careful about the communication 
between two Bobs during the entanglement distillation. 

In this paper, we show that it is possible to perform en- 
tanglement distillation in the double-server scheme with- 
out degrading the security of blind quantum comput- 
ing. Throughout this paper, we denote four Bell states 
by IV^,:.) = (/ «) X^Z^)(|0) ® |0) + |1) (E> |1)), where 
{z,x) e {0,1}2 and X = |0)(1| + |1)(0|. 

Protocol. — As in the case of the original BFK double- 
server protocol, a trusted center generates n Bell states, 
iV'oo)®"! and distribute them to two Bobs; one qubit of 
each IV'oo) is sent to Bobl and the other to Bob2. Due 
to the noise in the channel between the center and Bobs, 
each Bell state decoheres, iV'oo) ^ P- Hence two Bobs 
share n inpure pairs p®", where p is a dirty Bell state: 
one qubit of p is possessed by Bobl and the other is by 
Bob2. Without loss of generality, we can assume that p 
is the Werner state, p = Fipu + ^^-^^(V'oo + V'oi + i'lo), 
where V' = If it is not the Werner state, it can 

be converted into the Werner state by using the twirling 
operation (after applying / (gi XZ) [31|. In order to per- 
form the twirling operation, Alice has only to randomly 
choose a SU{2) operator, and tell its classical description 
to two Bobs. Therefore the twirling operation does not 
affect the security. 

Since p is Bell-diagonal, p®" is the mixture of tensor 
products of Bell states: 

n 

(2i,a:i,...,z„,x„)e{0,l}^" J = l 

Alice randomly chooses a 27i-bit string si and sends it to 
two Bobs. This si is chosen completely randomly being 
independent of other parameters (such as 0j, (pj, etc.). 
Each Bob then performs certain local unitary operation 



which is determined by si. (The detail of the unitary 
operation, which is irrelevant here, is given in Ref. [3l|.) 
Each Bob measures a qubit of a single pair in the compu- 
tational basis, and tells the measurement result to Alice. 
(Which pair is measured is also determined by si [sif.) 
From these measurement results, Alice can gain a single 
bit of information about p{zi,xi, ...,z„,a;„) |3l| . 

Since a single pair is measured out, now two Bobs 
share n — 1 pairs. If Alice and two Bobs repeat a simi- 
lar procedure (i.e., Ahce randomly chooses a 2{n — l)-bit 
string S2 and tells it to two Bobs. Two Bobs perform 
local operations, measure a single pair in the computa- 
tional basis, and tell the measurement results to Alice), 
Alice can gain another single bit of information about 

p(zi, Xl, Zji , Xn ) . 

The probability distribution p(zi, xi, z„, x„) has al- 
most all its weight for a set of 2"'^('') "likely" strings, 
where S{p) is the von Neumann entropy of p. The prob- 
ability that a 2n-bit string (zi, xi, 2;„, x„) falls out- 
side of the set of the 2"'^'^('')"'"'^) most probable strings 
is 0{e~'^ ") (sfj. Therefore, Alice can (almost) specify 
p(zi, Xl, Zn, Xn) if she gains nS{p) bits of information 
about p(zi, Xl, z„, Xn). This means that it is suffi- 
cient for Alice and two Bobs to repeat the above proce- 
dure for nS{p) times. Then, two Bobs spend nS{p) pairs 
for measurements, and therefore at the end of the dis- 
tillation they share m = n — nS{p) pairs, {2)Jli \''Pzj,xj)i 
where {zj,Xj) G {0,1}^. Alice knows the 2m-bit string 

, Xl , . . . , ^771 , Xtti) ■ 

After the distillation. Alice and two Bobs can start the 
double-server protocol. Now we modify the double-server 
protocol as follows: 

Dl'. Two Bobs share {g)Jl^ \^z,,x,)- 

D2'. Alice sends Bobl classical messages {9^ = 
(—1)^30^- -I- Zjir}™^^, where 9j is randomly chosen 
by Alice from {^\k = 0, 1, 7}. 

D3'. Bobl measures his qubit of the jth Bell pair in the 
basis {|0)±e-^®^ |l)} (j = l,...,m). Bobl tells Alice 
the measurement results {bj}"Li G {0, 1}™. 

D4'. The same as D4. 

Since D4' is the same as D4, it is obvious that Alice can 
run the correct single-server blind quantum computation 
with Bob2. 

Bobl cannot send any message to Bob2. — Let us show 
that Bobl cannot send any message to Bob2. What 
Bob2 receives from Alice are bit strings, si, Sn-rm and 
{9 J + bjTT + 0^ + r^Tr}^^. Since si, ...,s„_,„ are com- 
pletely uncorrelated with what Bobl sends to Alice, Bob2 
cannot gain any information about Bobl's message from 
si, Sn-m- Since 9j + bji: + 4>'j + rjir is related with 
bj, which is sent from Bobl to Alice, one might think 
that Bobl can hide his message into bj, and send it to 
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Bob2 through 9j + bjir + + rjir. However, rj is ran- 
domly taken by Ahcc from {0,1} being independent of 
what Bobl sends to Ahce. Therefore, Bob2 cannot gain 



any information about bj from 9j 



■ bjTT + ( 



■ -|-r,-7r. 



Bobl 



and Bob2 share entangled pairs. However, due to the no- 
signaling principle, only sharing entangled pairs is useless 
for message transmission. Hence Bobl cannot send any 
message to Bob2. 

Bob2 cannot send any message to Bobl. — Next let us 
show that Bob2 cannot send any message to Bobl. What 
Bobl receives from Alice are bit strings, si, Sn-m, and 
{9'j = {-ly^Bj + ZjTT}JL^. Again, si, Sn-m, are use- 
less for the message transmission from Bob2 to Bobl. 
Since Xj and Zj are related with Bob2's measurement 
results during the distillation, one might think that 6j 
can be used for the message transmission from Bob2 to 
Bobl. However, 9j is randomly chosen by Alice from 
{^\k = 0,1, ...,7} being independent of what Bob2 
sends to Alice and (zi, xi, z^, Xm). Therefore, Bobl 
cannot gain any information about Bob2's message from 
9'j. Again, sharing entangled pairs is useless. Hence Bob2 
cannot send any message to Bobl [35 1. 

Two Bobs cannot learn Alice 's computational 
information. — Finally, let us show the security of 
Alice's computational information. First, from Bob2's 
view point, the difference between our protocol (i.e., the 
distillation plus the modified double-server protocol) 
and the original BFK double-server protocol is only 
that Bob2 receives bit strings, si,...,s„_m, from Alice. 
However, these bit strings are completely uncorrelated 
with Alice's computational information. Therefore, our 
protocol is as secure as the original BFK double-server 
protocol against Bob2. 

Second, from Bobl's view point, the differences be- 
tween our protocol and the original BFK double-server 
protocol are 



(i) Bobl receives bit strings, si, . 

(ii) Bobl receives 9'^ = 9j 
from Alice {j = 1, 2, m). 



from Alice. 



ZjTT instead of 9j 



Again, we can safely ignore (i), since those bit strings 
are uncorrelated with Alice's computational informa- 
tion. Regarding (ii): since 9j is randomly taken from 
{^\k = 0, 1, 7} being independent of Alice's compu- 
tational information and (zi, xi, z™, Xm), Bobl can- 
not gain any information about Alice's computation from 
9'j. Since 9'^ is as random as 9j, our protocol is as se- 
cure as the original double-server BFK protocol against 

Bobl [ai. 

Discussion. — Let us point out that there is another in- 
teresting proof of the security: we can show that our pro- 
tocol can be mapped into an instance of the BFK double- 
server protocol with certain deviations by two Bobs. The 
BFK double-server protocol is secure against any Bobs' 
deviations. Hence, the violation of the security of our 



protocol means the violation of that of the BFK double- 
server protocol. 

First, in our protocol, states sent from the center to 
two Bobs decohere. In the BFK double-server protocol, 
two Bobs can do any operations on the Bell pairs sent 
from the center, and such operations can be accidentally 
equivalent to the noise |37| . Second, in our protocol, the 
distillation is performed. However, in the BFK double- 
server protocol, Bobl can generate random bit strings, 
si, Sn-m, by himself, and perform the local unitary 
operations and measurements specified by si, Sn-m- 
Bob2 can also generate random bit strings, s'l, ...,s^_^, 
by himself, and perform the local unitary operations and 
measurements specified by s'l, s'„_^ . It is possible that 



accidentally Sj = s'j for all j [37[. Finally, in the step 
D2', Alice sends Bobl {9'^ = (-l)^^6ij + ZjTrj^'i^, and in 
the step D3', Bobl does the measurements in these an- 
gles. However, in the BFK double-server protocol, Bobl 
can deviate in the following way: in the step D2, al- 
though he receives {9j}J^i from Alice, he changes it into 
{ry EE i~ir^9,+p,7r}JU, where (a„/3,) € {0, 1}^ is 
randomly chosen by Bobl. In the step D3, Bobl does 
the measurements in the basis {|0) ± e""*^ |1)}™^]^. It is 
possible that accidentally {aj,(3j) = (xj, Zj) for all j [37 1. 
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